
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XII - Issue #22

March 19, 2010

Kevin Mandia just did an incredible webcast on the Advanced Persistent Threat: how it works and what you can do about it. If you work in the critical infrastructure, or in support of it, you'll want to know this. He's doing it again at the Control Systems Summit in ten days:
http://www.sans.org/scada-security-summit-2010/
That's also where you'll hear how NERC CIP compliance will be transformed over the next months.

TOP OF THE NEWS

The latest version of a Senate cyber security bill removes a provision that granted the President power to shut down Internet access and transit if the country comes under cyber attack, although the President would still have the authority to declare a cyber security emergency. The bill also calls for government officials to work with the owners and operators of critical infrastructure systems to establish a cyber attack response plan. The legislation is sponsored by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine). This is the fourth revision of the legislation, which was originally introduced last April.
-http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=224000085
-http://www.nextgov.com/nextgov/ng_20100317_1762.php?oref=topnews
-http://www.scmagazineus.com/revised-draft-of-cybersecurity-act-introduced-in-senate/article/166049/
[Editor's Note (Paller): This bill is a harbinger of huge changes in cyber security - especially the shift from anyone being able to call him or herself a security "expert" and in transforming colleges from their current state of ignoring secure coding in their core courses to leading the nation in ensuring every graduate who learns coding knows how to write code securely. A real triumph of bipartisanship.]

One quarter of school-aged children in the UK admitted to accessing other people's Facebook or web-based email accounts. Seventy-eight percent of the students said that breaking into others' accounts was wrong and 53 percent said they believed it was illegal. The reasons most often given for the unauthorized account access were just for fun and mischief. Twenty percent of the students believed they could make money breaking into others' accounts, and five percent envisioned making a career out of cyber attacks.
-http://www.theregister.co.uk/2010/03/18/uk_teenage_hacker_survey/
[Editor's Note (Schultz): Dismal as these findings may be, they are valuable in showing us just how far we have to go regarding cybersecurity education for young people.]


THE REST OF THE WEEK'S NEWS

Interview With Former Pennsylvania CISO Maley (March 18, 2010)

Robert Maley, the former CISO of Pennsylvania who lost his job after he discussed a cyber security incident on a panel at the RSA conference, says that while what he said did not put state IT systems at risk, he was wrong to have spoken of the incident and he will not appeal his firing. In an interview with Jaikumar Vijayan, Maley describes his reasons for talking about the incident, and explains that the vulnerability in the PennDOT IT system has been fixed. He does not regret having spoken and says that he "hope[s] we can find ways that we can share incidents like this successfully, ... [that] we can be more open about what's really going on to benefit the good guys, because I think the bad guys have no problem sharing information with each other."
-http://www.computerworld.com/s/article/9173078/Fired_CISO_says_his_comments_never_put_Penn._s_data_at_risk_?taxonomyId=84
[Editor's Note (Pescatore): This one is pretty cut and dried: he admits consciously violating a policy where he understood the consequences. Doing it this way actually makes it *harder* for others to share information - more fear of punitive reaction.]

Former Employee Disables 100+ Cars Via Computer (March 17, 2010)

Police in Austin, Texas, have arrested Omar Ramos-Lopez for allegedly accessing a computer system at Texas Auto Center and disabling the ignition systems on more than 100 cars. Ramos-Lopez was laid off from the Texas Auto Center in February. The company uses a system to disable cars that have not been paid for; a device installed under the car's hood allows someone with access to the computer system to disable the vehicle's ignition system or start the car's horn honking, which can be stopped only by removing the battery. The company received reports of problems for five days before resetting the system's password. Examination of access logs led investigators to Ramos-Lopez. Although his own account was disabled when he was let go, he used another employee's account to access the system.
-http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/
-http://www.msnbc.msn.com/id/35919648/ns/technology_and_science-security/

A report conducted on behalf of the International Chamber of Commerce says that illegal filesharing could cost European countries 1.2 million jobs and 240 billion euros over the next five years. According to the report, the UK alone lost 1.4 billion euros in the creative industries in 2008, all due to piracy. Trades Union Congress (TUC) General Secretary Brendan Barber said that "if there were ever proof needed to demonstrate why the Digital Economy Bill is imperative for the protection of our creative industries, this report is it." The report gathered data from European Union countries, the World Intellectual Property Organization, and Eurostat. The analysis describes a worst case scenario based on consumer web traffic increasing 24 percent annually.
-http://news.bbc.co.uk/2/hi/technology/8573162.stm
-http://www.computerweekly.com/Articles/2010/03/18/240644/Online-piracy-could-cost-240bn-and-1.2-million-jobs-by.htm

Second Vodafone HTC Magic Found to be Infected with Malware (March 17 & 18, 2010)

Troyak Playing Hide-and-Seek (March 17, 2010)

Internet service provider (ISP) Troyak is fighting hard to stay alive after its upstream providers severed its connectivity. Troyak is notorious for supporting traffic associated with cybercrime; in particular, Troyak and another ISP, Group 3, supported 90 of the command and control servers associated with the Zeus botnet. Troyak has been bouncing from ISP to ISP to find a way to carry its traffic, but this is becoming more and more difficult as its reputation becomes more widely known. Researchers have noted that some of the traffic that flowed over Troyak is now being carried by an entity called SAINTVPN that claims to be in St. Petersburg, Russia. There is speculation that Troyak's operators have regrouped under a new name.
-http://www.computerworld.com/s/article/9172198/After_weeklong_fight_rogue_ISP_Troyak_struggles_for_life?source=CTWNLE_nlt_pm_2010-03-17
[Editor's Note (Pescatore): Take-downs aren't the answer to bot nets or malware, but ISPs having voluntary standards that require all ISPs to drop obviously criminal traffic originating from their service or face de-peering is badly, badly needed. Imagine if on the power grid, any electrical provider could start pumping 330v 40hz electricity onto the grid.]

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/